Abstract

We consider a strategic problem of eavesdropping on quantum key distribution. The eavesdropper
hopes to obtain the maximum information given the disturbance to the qubits is often For this
strategy, the optimized individual attacks have been extensively constructed under various
conditions. However, this seems a difficult task in the case of a coherent attack, i.e., Eve may
treat a number of intercepted qubits collectively, including collective unitary transformations
and measurements. It was conjectured by Cirac and Gisin that no coherent attack can be more
powerful for this strategy for the BB84 protocol. In this paper we give a general conclusion on
the role of coherent attacks for the strategy of maximizing the information given the disturbance.
Suppose that in a quantum key distribution (QKD) protocol all the transmitted bits from Alice are
independent and only the individual disturbances to each qubit are examined by Alice and Bob. For
this type of protocol (so far almost all QKD protocols belong to this type), in principle no
coherent attack is more powerful than the product of optimized individual attacks on each
individual qubit. All coherent attacks on the above QKD protocols can be disregarded for the
strategy above.

* email: wang@qci.jst.go.jp

Since Bennett and Brassard |[| suggested their quantum key distribution protocol (the BB84
protocol) in 1984, the subject has been extensively studied both theoretically and experimentally.
The protocol allows two remote parties, Alice and Bob, to create and share a secret key using a
quantum channel and public authenticated communications. The quantum key created in this way is in
principle secure because eavesdroppers have no way to tap the quantum channel without disturbing
it. In the protocol, k independent qubits (such as photons) $|Q_A\rangle$ are first prepared by
Alice, each one randomly chosen from a set of states V. In the BB84 scheme
V = {|0), |1), |0), |1)}, |0), |1) are bases of Z and |0), |1) are bases of X. According to each
individual state, she writes down a string of classical bits, $S_{0A}$. She then sends the qubits
to Bob. Bob measures each individual qubit in a basis randomly chosen from Z or X. For those
qubits where Bob has happened to choose the correct basis, the results should be identical to the
corresponding bits in $S_{0A}$. Alice and Bob discard the bit values where Bob measured in the
wrong basis. After that, Alice has a string $S_A$ and Bob has a string $S'_A$. The shared secret
key for Alice and Bob can be built up based on this. In the case of a noiseless channel without
Eve, $S_A$ should be identical to $S'_A$ and no third party knows any information about $S_A$. So
far there have been many new proposals for QKD schemes, for example the 6 state protocol ||, the
d-level qubit protocol U and so on.

Normally, one can classify Eve's attacks into two classes. In an individual attack, Eve operates
on the qubits from Alice individually with her ancilla. In such an attack, Eve's information about
each qubit is independent. In a coherent attack, Eve may operate on a number of qubits from Alice
collectively with her ancilla by all possible unitary transformations and measurements. In this
paper, we give a general proof of the Cirac-Gisin conjecture [|J. It was shown that Eve's total
information on average about the raw bits given a fixed disturbance does not increase through a
2-qubit coherent attack. No 2-qubit coherent attack can be more powerful than the optimized
individual attack which maximizes Eve's total information about the raw key given the disturbance.
It is conjectured M that the conclusion is also correct for a coherent attack on an arbitrary
number of qubits from Alice, but no strict proof has been given there. So far it is not clear how
Eve's total information about the raw key is connected to the security of the final key shared by
Alice and Bob in the security proofs for the final key •
However, by many people's intuition they could be related, since there is indeed a relationship
between Eve's information about the raw key and the security of the final key in classical private
information. The Cirac-Gisin conjecture could be useful in the future when we are clear about the
role of Eve's information about the raw key.

In our proof, we require that Bob measure every received qubit independently. This requirement is
used by all QKD protocols proposed so far. However, we do not add any constraint on Eve in the
coherent attack. The quantity of disturbance is measured by the error rate of Bob's measurement
results. Here we assume all errors are caused by the channel noise, which includes the action of
Eve. We will consider the BB84 protocol in our proof, but the conclusion is obviously correct for
all protocols raised so far.

Most generally, we assume Eve first intercepts the state $|Q_A\rangle$ from Alice, which includes
n qubits; she applies a unitary transformation $U_{AE}$ to both $|Q_A\rangle$ and her own ancilla
state $|E\rangle$. After this transformation, she sends the qubits originally from Alice to Bob
and keeps the ancillas. Finally she measures her ancilla to obtain the information about $S_A$ in
the future. Here the final measurement $M_E$ can be any type of POVM and is not limited to
projective measurements. Basically, there are two types of attack, the individual attack and the coherent
2 ■ ■ ■ O n . More precisely, in an individual measurement, Eve's operation on the qubits can be
described by

$$\hat{O}|Q_A\rangle|E\rangle = M_{E1}\cdot U_{AE1}|Q_{A1}\rangle|E_1\rangle \otimes M_{E2}\cdot U_{AE2}|Q_{A2}\rangle|E_2\rangle \otimes\cdots\otimes M_{En}\cdot U_{AEn}|Q_{An}\rangle|E_n\rangle \tag{0.1}$$

where the state $|E_i\rangle$ is the i'th ancilla, which is attached to the i'th qubit from Alice
$|Q_{Ai}\rangle$, $U_{AEi}$ is the unitary transformation on the state $|Q_{Ai}\rangle|E_i\rangle$,
and $M_{Ei}$ is a certain measurement on the i'th ancilla. Therefore an individual attack can be
defined as

$$\hat{O}_1\otimes\hat{O}_2\otimes\cdots\otimes\hat{O}_n = M_{E1}U_{AE1}\otimes M_{E2}U_{AE2}\otimes\cdots\otimes M_{En}U_{AEn}. \tag{0.2}$$

That is to say, in an individual attack, both the unitary transformation $U_{AE}$ and the
measurement $M_E$ are factorizable. However, in a coherent attack, there is no restriction on
either $U_{AE}$ or the measurement $M_E$. What we shall show is that, given the disturbance to
$|Q_A\rangle$, it is enough for Eve to use only the individual attack in order to obtain the
maximum amount of information about $S_A$.

Basically, there are two quantities, $I_{EA}$ and D, for evaluating the security of a protocol
under an eavesdropper's attack. Here $I_{EA}$ is the amount of information about $S_A$ the
eavesdropper can obtain after the attack, and D is the disturbance to $|Q_A\rangle$. Most
generally, D can be defined as the distance between $Q_A$ and $\rho'_A$, where $\rho'_A$ is the
state sent to Bob from Eve. Here we assume that in the QKD protocols Bob and Alice only examine
the individual disturbance to each qubit. For example, Bob takes independent measurements on each
individual qubit, and each qubit has equal probability of being chosen for the check. The
disturbance is measured by the error rate of Bob's measurement results for those qubits which are
chosen for the check. So far all QKD protocols work in such a way to estimate the disturbance.
Therefore the detectable disturbance depends on the average disturbances to each individual
qubit, $\{D_i\}$.

Given the protocol and the attacking scheme, the attacking results are in general different for
different initial states $Q_A$. Here we evaluate an attacking scheme by the average effect over
all possible $|Q_A\rangle$. That is, if the eavesdropper chooses the optimized attack over n
qubits intercepted from Alice, the security is evaluated by the quantities averaged over all
possible states for the n independent qubits, each of which is randomly chosen from a certain set
as required by the specific QKD protocol itself, and over all possible actions (such as the
independent measurements) Bob may take on the n qubits received. The ensemble-averaged quantities
are denoted by $\langle I_{EA}\rangle$ and
$\{\langle D_i\rangle\} = \{\langle D_1\rangle, \langle D_2\rangle, \cdots, \langle D_k\rangle\}$
for a QKD protocol under a certain attack.

In any attacking scheme, for the eavesdropper the information obtained should be as large as
possible while the disturbance should be as small as possible. Given the disturbance
$\{\langle D_i\rangle\}$, we define the optimized attack $\hat{O}(\{\langle D_i\rangle\})$ as the
one by which the eavesdropper gains the maximum information among all possible attacking schemes
with the same disturbances.
Theorem: No (coherent) attack can be more powerful than the optimized individual
attack for Eve's strategy of maximizing the total information given the disturbance.
Here we put the word coherent inside brackets because the theorem holds for all attacks;
however, only coherent attacks need a proof.

Specifically, if the eavesdropper is attacking m qubits which are being transmitted from Alice to
Bob, she can have two different attacks. One is the coherent attack $\hat{O}_{cm}$. After this
attack, the disturbance to the i'th qubit is $\langle D_i\rangle$. The other is the product of
individual attacks $\hat{O}_m = \hat{O}_0(1)\otimes\hat{O}_0(2)\otimes\cdots\otimes\hat{O}_0(m)$.
After this attack, the disturbance to the i'th qubit is also $\langle D_i\rangle$. That is to say,
for each individual qubit, the individual attack $\hat{O}_m$ causes the same disturbance as the
coherent attack does. $\hat{O}_0(i)$ is the optimized individual attack on qubit i given the
disturbance $\langle D_i\rangle$. Explicitly, we give the following definition of the optimized
individual attack $\hat{O}_0(i)$ with fixed disturbance:

Definition for the notation $\hat{O}_0(i)$: When the disturbance $\langle D_i\rangle$ is given,
the eavesdropper may obtain the maximum information through $\hat{O}_0(i)$ among all individual
attacking schemes. There is no individual attacking scheme by which Eve can obtain more
information about the i'th bit than by scheme $\hat{O}_0(i)$.

To show the theorem, we need only show the following Lemma:
Lemma: No (coherent) attack $\hat{O}_{cm}$ can help the eavesdropper to obtain more information
than the individual attacking scheme $\hat{O}_m$ as defined above.
To show this, we use the following idea:
Step 1. When m = 1 it is obviously correct.
Step 2. Assume it is true when m = n - 1.
Step 3. We can then prove it must also be true in the case of m = n.

Now we show Step 3 based on the assumption in Step 2 and Step 1. We shall do it in the
following way:

Suppose the statement in Step 3 is not true. Then there must be a coherent attack $\hat{O}_{cn}$
which can outperform the individual attack $\hat{O}_n$. Here $\hat{O}_{cn}$ can include any
collective treatments such as coherent unitary transformations and coherent measurements on the
n qubits Eve has intercepted from Alice (and Eve's ancilla). Then we can construct a game G which
is an individual attack on one qubit from Alice. After the game G we find that $\hat{O}_0(i)$ is
not the optimized individual attack on a single qubit because it does not work as effectively as
game G. This conflict shows that the Lemma must be true.

The game G is played in this way: While Alice and Bob are carrying out the QKD programme, the
eavesdropper asks her friends Clare and David to run the same QKD protocol. The eavesdropper
intercepts 1 qubit from Alice and $n-1$ qubits from Clare. Without loss of generality, the
eavesdropper may put the qubit from Alice at the n'th position in this group of qubits. We denote
these n qubits as $|Q_{CA}\rangle$. She then carries out $\hat{O}_{cn}$ on these n qubits. Since
the first $n-1$ qubits can be regarded as ancillas attached to the only qubit from Alice,
$\hat{O}_{cn}$ here is an individual attack on the qubit from Alice, although it would be a
coherent attack if all n qubits had been from Alice. After a certain operation as required in
$\hat{O}_{cn}$, $|Q_{CA}\rangle$ is changed into $\rho'_{CA}$, and then she sends the n'th bit to
Bob and the first $n-1$ bits to David. Let David then play the role of Bob for those $n-1$ qubits.
When she completes everything required in $\hat{O}_{cn}$, she asks Clare to announce the exact
information about the first $n-1$ bits. We can show that, with this announcement, the
eavesdropper's information about the n'th bit, i.e., the only bit from Alice, is larger than that
from the individual attack $\hat{O}_0(n)$. Note that, for the qubit from Alice, the game G here is
an individual attack. All $n-1$ qubits from Clare can be regarded as part of Eve's ancilla. This
shows that we can use game G, a new individual attack, to outperform the optimized individual
attack $\hat{O}_0(n)$ given the disturbance $\langle D_n\rangle$. This is obviously impossible,
because we have already assumed that $\hat{O}_0(n)$ is the optimized individual attack given
$\langle D_i\rangle$.

Now we give the mathematical details of the game G above. Using the Shannon entropy [17, 18] we
have the following quantity for the (average) degree of uncertainty corresponding to the coherent
attack $\hat{O}_{cn}$:

$$H(\hat{O}_{cn}) = -\overline{\sum_{X,x_n} p(X,x_n)\log p(X,x_n)}. \tag{0.3}$$

Here $X = x_1, x_2, \cdots, x_{n-1}$ and $p(X, x_n)$ is the eavesdropper's probability
distribution for the n bits. With the definition of X, the mathematical symbol $(X, x_n)$ is
nothing but $(x_1, x_2, \cdots, x_{n-1}, x_n)$. We write it in the form $(X, x_n)$ because we will
play some tricks with $x_n$ later. Note that given different input states $|Q_A\rangle$ and
different measurement bases taken by Bob, the same attacking scheme may lead to different outputs
Y. In general Eve's probability distribution depends on the outcome Y. Here the bar over
$\sum_{X,x_n} p(X,x_n)\log p(X,x_n)$ represents the result averaged over all different Y. Thus the
entropy $H(\hat{O}_{cn})$ here is the average entropy over all possible Y. This bar average, the
average over different outcomes for one configuration, is different from the ensemble average,
which is the average over different configurations. The formula above shows how uncertain Eve is
about the n bits after she completes her coherent attack $\hat{O}_{cn}$ on the n qubits (the first
$n-1$ originally from Clare, the last one from Alice), but before Clare announces the exact
information for his $n-1$ bits.

We also have the (average) entropy corresponding to the individual attack $\hat{O}_n$,

$$H(\hat{O}_n) = \sum_{i=1}^{n} H(\hat{O}_0(i)), \tag{0.4}$$

and

$$H(\hat{O}_0(i)) = -\overline{\sum_{x} p_i(x)\log p_i(x)}, \tag{0.5}$$

where $p_i(x)$ is the eavesdropper's probability distribution for the value of the i'th bit
through the individual attack $\hat{O}_0(i)$. Again, $H(\hat{O}_0)$ is the average entropy over
all possible outcomes of one configuration. The disturbances caused by the two attacks are the
same. Therefore, if the coherent attack $\hat{O}_{cn}$ here is more powerful than the individual
attack $\hat{O}_n = \hat{O}_0(1)\otimes\hat{O}_0(2)\otimes\cdots\otimes\hat{O}_0(n)$, we must have
the following inequality for the ensemble-averaged entropy:

$$\langle H(\hat{O}_{cn})\rangle < \Big\langle \sum_{i=1}^{n} H(\hat{O}_0(i)) \Big\rangle. \tag{0.6}$$



Now the eavesdropper asks Clare to announce the bit information for his $n-1$ bits. With the exact
information about the first $n-1$ bits, the eavesdropper's new average entropy through game G is

$$\langle H'(\hat{O}_{cn})\rangle = \langle H(\hat{O}_{cn})\rangle + \Big\langle \overline{\sum_{X} p(X)\log p(X)} \Big\rangle. \tag{0.7}$$

Here $p(X)$ is the eavesdropper's probability distribution for the first $n-1$ qubits just before
Clare's announcement, $p(X) = \sum_{x_n} p(X, x_n)$.
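
The announcement step of game G in eq. (0.7) can be checked numerically; the following Python is an added example, not code from the paper. The parity-correlated distribution and all function names are constructed for illustration, and a single measurement outcome Y is assumed so that the bar average drops out.

```python
import itertools
import math
from collections import defaultdict

def shannon(dist):
    """Shannon entropy (bits) of a {outcome: probability} mapping."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def marginal_first_bits(joint):
    """p(X) = sum over x_n of p(X, x_n), where X = (x_1, ..., x_{n-1})."""
    p_X = defaultdict(float)
    for bits, p in joint.items():
        p_X[bits[:-1]] += p
    return dict(p_X)

def entropy_after_announcement(joint):
    """Right-hand side of eq. (0.7): H(joint) + sum_X p(X) log p(X)."""
    return shannon(joint) - shannon(marginal_first_bits(joint))

def posterior_entropy_of_last_bit(joint):
    """Direct computation: once X is announced Eve holds p(x_n | X);
    average the entropy of that posterior with weights p(X)."""
    total = 0.0
    for X, p_of_X in marginal_first_bits(joint).items():
        if p_of_X == 0:
            continue
        posterior = {bits[-1]: p / p_of_X
                     for bits, p in joint.items() if bits[:-1] == X}
        total += p_of_X * shannon(posterior)
    return total

def parity_correlated_joint(n, q):
    """Constructed distribution (an assumption of this example): Eve's
    outcome tells her the parity of the n bits correctly with probability q
    and nothing else, so each even-parity string has weight q / 2**(n-1)."""
    half = 2 ** (n - 1)
    return {bits: (q if sum(bits) % 2 == 0 else 1 - q) / half
            for bits in itertools.product((0, 1), repeat=n)}

if __name__ == "__main__":
    joint = parity_correlated_joint(3, 0.9)
    last_bit = defaultdict(float)
    for bits, p in joint.items():
        last_bit[bits[-1]] += p
    print("entropy of x_n alone, before announcement:", shannon(last_bit))
    print("eq. (0.7) after announcement:", entropy_after_announcement(joint))
    print("direct posterior average:   ", posterior_entropy_of_last_bit(joint))
```

For this constructed distribution Eve's entropy on the last bit alone is 1 bit before the announcement and about 0.469 bits after it, and the two ways of computing the post-announcement value agree.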

We have assumed the Lemma to be true in the case m = n - 1, i.e., the eavesdropper's information
about the first $n-1$ bits through any coherent attack (and also any other attack) should never be
larger than the information obtained through the individual attack $\hat{O}_{n-1}$ before Clare
announces the exact results. Therefore we have

$$-\Big\langle \overline{\sum_{X} p(X)\log p(X)} \Big\rangle \ge \Big\langle \sum_{i=1}^{n-1} H(\hat{O}_0(i)) \Big\rangle. \tag{0.8}$$

Combining this with eq. (0.6) and eq. (0.7) we have the following inequality:

$$\langle H'(\hat{O}_{cn})\rangle < \langle H(\hat{O}_0(n))\rangle. \tag{0.9}$$
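
The combination can be written out term by term (an added derivation in the paper's notation, not part of the original text, with the sums over the qubits taken as i = 1, ..., n):

$$\langle H'(\hat{O}_{cn})\rangle = \langle H(\hat{O}_{cn})\rangle + \Big\langle \overline{\sum_{X} p(X)\log p(X)} \Big\rangle < \Big\langle \sum_{i=1}^{n} H(\hat{O}_0(i)) \Big\rangle - \Big\langle \sum_{i=1}^{n-1} H(\hat{O}_0(i)) \Big\rangle = \langle H(\hat{O}_0(n))\rangle .$$

The equality is (0.7); the strict inequality uses (0.6) for the first term and (0.8), which bounds the second term from above by $-\big\langle \sum_{i=1}^{n-1} H(\hat{O}_0(i)) \big\rangle$.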

Now that the eavesdropper has the exact information about the first $n-1$ bits,
$H'(\hat{O}_{cn})$ can also be interpreted as Eve's entropy of the n'th bit through game G. The
inequality (0.9) shows that the eavesdropper's information on the single bit initially from Alice
through game G is larger than her information on the same bit through $\hat{O}_0(n)$. We have also
assumed that the disturbance to that bit caused by game G is equal to that caused by
$\hat{O}_0(n)$. That is to say, game G, which is an individual attack on Alice's qubit, can help
the eavesdropper to obtain more information about the bit than the optimized individual attack on
the bit with the same disturbance. This conflicts with our definition of the optimized individual
attack given the disturbance. Thus the inequality (0.6) must be wrong. Therefore we obtain our
theorem.

Thus we draw the following conclusion:
Suppose that in a QKD protocol all the transmitted bits are independent and the measurements are
carried out on each individual qubit independently. For this type of protocol, no coherent attack
can be more powerful than the product of optimized individual attacks $\hat{O}_n$ for Eve's
strategy of maximizing the total information given the disturbance.

Remarks: Our conclusion is only for the raw key stage. With our result, the conclusions in
ref. [2], ref. |§ and ref. [13] on Eve's maximum information through individual attacks on the
6 state protocol, d-level state protocol and 3-level state protocol are also correct in the
coherent attack case. It should be interesting to investigate the role of coherent attacks with
error correction and privacy amplification taken into consideration. We believe our result here
can be useful in the future study of this case. For example, it is generally believed that a QKD
can be unconditionally secure after the error privacy amplification, given that Eve's information
is smaller than Bob's information in the raw key stage. Our result can greatly simplify the
estimation of Eve's maximum information, so the explicit formula as the criteria of security can
be obtained more easily. In the cases where the raw key is directly used for the secret
communication, coherent attacks can be disregarded.

At the end of this paper, we have to clarify something. Although we have proven the Cirac-Gisin
conjecture in a rather general sense, we are not clear on the role of our conclusion in the most
important topic of Eve's optimized attack on the final key in the subject of quantum key
distribution. On the other hand, here the strategic problem is for the total information; however,
the total information at that step is not everything in the whole game of quantum key
distribution ]nj. In the strategic problem above, there is no test for Alice and Bob. This shows
we have assumed that the error rate in the test is equivalent to the disturbance caused by Eve.
This is in general not true because there can be a statistical deviation and only the subset that
passes the test will interest the eavesdropper. However, this issue can be resolved in the case
that the number of qubits in the QKD job between Alice and Bob is much larger than the number of
qubits intercepted for the coherent attack, i.e. $k \gg n$. This has been illustrated in ref